Excessive GITHUB_TOKEN permissions
==================================

.. list-table::
   :stub-columns: 1
   :widths: 20 80

   * - Rule ID
     - ``excessive_token_permissions``
   * - Category
     - security
   * - Severity
     - critical

Workflow uses ``permissions: write-all`` or does not restrict token scope. The ``GITHUB_TOKEN`` should follow least privilege — declare only the permissions actually needed.

Detection
---------

``static_analysis`` — Checks field presence or value in the workflow YAML.

Examples
--------

**Non-compliant:**

.. code-block:: yaml

   permissions: write-all

   jobs:
     build:
       steps:
         - uses: actions/checkout@v4
         - run: npm run build

**Compliant:**

.. code-block:: yaml

   permissions: {}

   jobs:
     build:
       permissions:
         contents: read
       steps:
         - uses: actions/checkout@v4
         - run: npm run build

**Fix**: Replace ``write-all`` with a minimal ``permissions`` block declaring only the scopes the workflow actually needs. Set ``permissions: {}`` at the workflow level and add per-job overrides.
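The following is an added example, not code from this rule page or from the tool it documents. It shows what the ``static_analysis`` check for this rule amounts to in practice: a function that walks the mapping ``yaml.safe_load()`` returns for a workflow file and reports ``write-all`` at either level, a missing ``permissions`` block at both levels (the token then falls back to the repository default), and, for review only, any explicit write scopes. The function name, the severity labels and the two extra sample workflows (``UNSCOPED`` and ``JOB_WRITE_ALL``) are assumptions of this example; the first two samples are the parsed form of the YAML in the Examples section, written as Python dicts so the script runs without PyYAML installed.

```python
# Added example, not code from the rule page or the tool it documents: a small
# static check that mirrors the excessive_token_permissions rule. It inspects the
# mapping that yaml.safe_load() returns for a workflow file. The sample workflows
# below are constructed here as Python dicts (the parsed form of the YAML in the
# Examples section plus two extra cases) so the script runs without PyYAML.

_MISSING = object()  # sentinel: distinguishes "key absent" from "permissions: {}"


def _check_permissions_value(value, where):
    """Return (severity, message) findings for one ``permissions:`` value."""
    if value == "write-all":
        return [("critical", f"{where}: 'permissions: write-all' grants write access to every scope")]
    if value == "read-all":
        return []
    if isinstance(value, dict):
        # An explicit scope map (including the empty map) restricts the token.
        # Write scopes are legitimate when needed, so report them for review only.
        writes = sorted(scope for scope, level in value.items() if level == "write")
        if writes:
            return [("info", f"{where}: write access declared for {', '.join(writes)}; confirm each is required")]
        return []
    return [("critical", f"{where}: unrecognised permissions value {value!r}")]


def check_token_permissions(workflow):
    """Apply the rule to a parsed workflow mapping.

    Returns a list of (severity, message) tuples; an empty list means compliant.
    """
    findings = []
    top = workflow.get("permissions", _MISSING)
    if top is not _MISSING:
        findings += _check_permissions_value(top, "workflow")
    for name, job in (workflow.get("jobs") or {}).items():
        job_perms = (job or {}).get("permissions", _MISSING)
        if job_perms is _MISSING:
            if top is _MISSING:
                # Neither level declares permissions: the token falls back to the
                # repository's default, which may be permissive.
                findings.append(("critical", f"job {name}: no permissions block at workflow or job level; token scope is unrestricted"))
            # Otherwise the job inherits the workflow-level block, already checked.
        else:
            findings += _check_permissions_value(job_perms, f"job {name}")
    return findings


_STEPS = [{"uses": "actions/checkout@v4"}, {"run": "npm run build"}]

# Parsed form of the page's non-compliant example.
NONCOMPLIANT = {"permissions": "write-all", "jobs": {"build": {"steps": _STEPS}}}

# Parsed form of the page's compliant example.
COMPLIANT = {
    "permissions": {},
    "jobs": {"build": {"permissions": {"contents": "read"}, "steps": _STEPS}},
}

# Constructed extra cases: no permissions block at all, and a job-level write-all.
UNSCOPED = {"on": "push", "jobs": {"build": {"steps": _STEPS}}}
JOB_WRITE_ALL = {
    "permissions": {},
    "jobs": {"release": {"permissions": "write-all", "steps": _STEPS}},
}

if __name__ == "__main__":
    for label, wf in [("non-compliant", NONCOMPLIANT), ("compliant", COMPLIANT),
                      ("unscoped", UNSCOPED), ("job write-all", JOB_WRITE_ALL)]:
        result = check_token_permissions(wf)
        print(f"{label}: {'OK' if not result else result}")
```

The sentinel matters: ``permissions: {}`` parses to an empty dict, which is falsy in Python, so a check written as ``if not workflow.get("permissions")`` would wrongly flag the compliant example as unrestricted. To run this against real files, replace the dict literals with ``yaml.safe_load(open(path))`` for each file under ``.github/workflows``.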